[4] Document.open() UAF via MutationObserver on Cross-Document Element
Severity: High | Component: WebCore DOM | 6767475
An ASAN segfault is observed in firstDOMWindow while document.write is executing. The crash is consistent with a use-after-free or null dereference of the document's DOMWindow link. The trigger is fully reachable from web content via MutationObserver. The actual fix landed in a separate commit (300757@main, later reverted in 300886@main); this commit adds only a regression test, so a diff-based analysis of the fix mechanism is limited.
Patch Details
This commit adds only a regression test and contains no production code changes. The test creates an element in a document parsed with DOMParser, then attaches a MutationObserver whose callback calls document.open() on the main document. It then sets an attribute to fire the observer. The actual fix landed in 300757@main and was later reverted in 300886@main.
LayoutTests/fast/dom/Document/open-triggered-by-mutation-observer-on-element-from-a-parsed-doc-crash.html
+ const element = (new DOMParser()).parseFromString("<!DOCTYPE html><p>foo</p>","text/html").documentElement;
+ (new MutationObserver(_ => document.open())).observe(element, {attributes: true});
+ element.setAttribute("class", "bar");
+ document.body.innerHTML = "PASS if no crash.";
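Review bot: the observer callback fires at the microtask checkpoint after this script block returns, so document.open() runs after document.body.innerHTML has already been set to "PASS if no crash." and the re-initialised document discards that text; if the expected result is meant to show the PASS line, write it from inside the callback after document.open() (for example with document.write) and follow with document.close() so the test does not leave the document open.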
The pattern: a re-entrant document.open() call, reached through a MutationObserver attached to a cross-document element, invalidates the calling document's DOMWindow link while that call is still executing.
Background
MutationObserver is a DOM API that delivers notifications when an observed DOM node changes. Observers run their JavaScript callback at the microtask checkpoint. document.open() reinitialises the current document and puts it into a writable state. During this process the document's state as a whole, including its link to the browsing context's DOMWindow, may be released and reinitialised. DOMParser creates a new Document from markup without a browsing context. Elements of such a document have no live frame or window, but a MutationObserver belonging to any document can observe them.
Analysis
The test case exposes the trigger: document.open() is called from inside a MutationObserver callback fired on an element that belongs to a separate document created by DOMParser. The crash occurs inside WebCore::firstDOMWindow, called from jsDocumentPrototypeFunction_write. This indicates that the document's link to its browsing context or DOMWindow is invalidated while document.open() executes in that context. The observed element belongs to a parser-created document with no browsing context. When the mutation observer callback runs document.open() on the main document during attribute-change delivery, state that the call stack still references may be invalidated.
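The hazard described in the Background and Analysis sections, as an added example that is not part of the original write-up or of WebCore: a minimal JavaScript model of a document whose window link is torn down by a re-entrant open() during observer delivery, beside the host-side pattern that survives it. Document, DOMWindow, Element, firstDOMWindow, runMicrotaskCheckpoint and the openCount generation counter are simplified stand-ins for engine internals, not the real WebCore API; the "released" flag plays the role of ASAN poisoning a freed allocation.

```javascript
// Added example (not WebCore code): a model of the re-entrancy hazard and the
// defensive shape that avoids it. All names below are simplified stand-ins.

let nextWindowId = 1;

class DOMWindow {
  constructor() { this.id = nextWindowId++; this.released = false; }
}

// Stand-in for the allocator giving the object back; ASAN would poison it.
function releaseWindow(win) { win.released = true; }

// Stand-in for WebCore::firstDOMWindow: touching a null or released window is
// the fault ASAN reports as a null dereference / use-after-free.
function firstDOMWindow(win) {
  if (win === null) throw new Error("null DOMWindow dereference");
  if (win.released) throw new Error(`use-after-free of DOMWindow#${win.id}`);
  return win;
}

// Mutation records are queued and their callbacks run at the next checkpoint.
const microtaskQueue = [];
function runMicrotaskCheckpoint() {
  while (microtaskQueue.length) microtaskQueue.shift()();
}

class Element {
  constructor(ownerDocument) { this.ownerDocument = ownerDocument; this.attributes = {}; this.observers = []; }
  setAttribute(name, value) {
    this.attributes[name] = value;
    for (const callback of this.observers) microtaskQueue.push(callback);
  }
}

class Document {
  // A DOMParser-created document has no browsing context, hence no window.
  constructor({ hasBrowsingContext }) {
    this.window = hasBrowsingContext ? new DOMWindow() : null;
    this.openCount = 0; // generation counter: bumps on every re-initialisation
  }
  open() {
    // Re-initialise: the old window link is torn down and replaced.
    this.openCount++;
    if (this.window !== null) releaseWindow(this.window);
    this.window = new DOMWindow();
    return this;
  }
}

// Hazardous shape: cache the window, run script that may re-enter open(),
// then use the cached (now stale) pointer.
function writeUnsafe(doc, runScript) {
  const win = doc.window;
  runScript();
  return firstDOMWindow(win).id;
}

// Defensive shape: re-read the document's state after any script ran and
// bail out cleanly if the document was re-initialised underneath us.
function writeSafe(doc, runScript) {
  const generation = doc.openCount;
  runScript();
  if (doc.openCount !== generation || doc.window === null) {
    return { status: "aborted", reason: "document re-opened during callback" };
  }
  return { status: "ok", windowId: firstDOMWindow(doc.window).id };
}

// Reproduce the shape of the regression test against the model: an element
// from a parser-created document, observed by a callback that re-opens the
// main document. callbackReopens=false gives the benign baseline.
function scenario(writeImpl, callbackReopens = true) {
  microtaskQueue.length = 0;
  const mainDocument = new Document({ hasBrowsingContext: true });
  const parsedDocument = new Document({ hasBrowsingContext: false });
  const element = new Element(parsedDocument);
  element.observers.push(() => { if (callbackReopens) mainDocument.open(); });
  element.setAttribute("class", "bar");
  try {
    return { outcome: writeImpl(mainDocument, runMicrotaskCheckpoint) };
  } catch (e) {
    return { crash: e.message };
  }
}
```

The point of the model is the ordering: the callback runs only at the checkpoint, so any pointer the host cached before that point is suspect afterwards. Re-reading the document's state (or holding a protecting reference and re-validating) after script has run is the shape a fix for this class of bug takes; the generation counter here is just one way to notice that open() ran.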
🔒Explores the document lifecycle and memory model implications of this crash, and whether it could escalate beyond denial-of-service
Audit directions
🔒Multiple re-entrancy audit patterns identified across document lifecycle operations, with concrete starting points for variant discovery